Vulnerability of LTE networks for mission critical use

Dr Dave Sloggett explores some of the issues that arise from a security viewpoint with the adoption of LTE-based architectures by public safety organisations

Shares

As night follows day, network technology advances. As 4G systems are becoming embedded in our day-to-day lives the 5G systems are beginning to appear over the horizon with some slated for introduction in 2020. The speed with which such developments are occurring is breathtaking.

It was not that long ago that the earliest generation of systems was first introduced. A key moment in the development of networking technologies was the introduction of the General Packet Radio Service (GPRS), which formed the basis for 2G and 3G mobile communications systems.

Arguably the latest significant development in cellular networking technologies is the introduction of the 4G UMTS Long Term Evolution (LTE) architecture. Its potential to offer new high-definition voice and video-based services offers users new ways of accessing content.

Users are eager to benefit from such developments. The ubiquity of technology and its developments is rapidly moving the world online. As each new development is introduced the user take-up in the western world has been rapid.

In the not-too-distant future people across the world will be able to access content including videos, radio channels and other information channels at a time and place of their choosing. The digital age will truly have arrived, benefiting mankind in ways that at present we can only imagine.

Cyber security

This, however, is only one vision of the digital age. Beneath its surface lies a pernicious, anarchic and dark element of the ways of exploiting the digital age. Criminals, terrorists and governments inhabit this space looking to use the information passed over the networks for reasons that are not necessarily beneficial.

It is therefore axiomatic that as technological developments create new possibilities, the solutions adopted need to be even more secure, especially when the information passing over the networks could be exploited by groups seeking to do harm to society.

One specific and contemporary example of that is the move by many governments towards using commercial mobile networking systems to provide the backbone of their public sector emergency services communications systems’ capabilities.

While the logic and potential cost benefits of piggy-backing onto existing networks makes (some) sense as an alternative to dedicated networks, the wider ramifications of any move need to be carefully considered. The adoption of LTE-based technologies carries some risks.

However, such is the attraction of this new capability that the United States has reserved paired spectrum in order to allow LTE-based technologies to be adopted for the public safety network.

The potential to move images around the network during an incident is one that is attractive. In what is always a chaotic situation, having the ability to use every first responder vehicle as a potential source of situational awareness information is attractive.

As camera technologies have evolved to allow first responders to wear devices that can stream video of an incident, new paradigms for the ways in which incidents are managed have evolved.

Given these tangible benefits, the US is unlikely to be alone in rolling out LTE technologies for its emergency services. South Korea has also announced similar plans, and the decision on the replacement of the Airwave Network in the United Kingdom is likely to follow a similar route.

Lack of LTE encryption

Whereas 3G technologies had built-in encryption, LTE has no such embedded capability. This is important for the emergency services community. The current LTE standard also does not provide a number of features with which the emergency services have become accustomed, such as mission critical push-to-talk (MCPTT).

This will not be appearing until Release 13 of the standard developed by 3GPP – the body responsible for the development of the standards by which LTE will work.

With LTE-based architectures the onus for the protection of data is specifically placed on the user. In 3G systems security started with the user and was terminated deep inside the network. The 3G systems also benefited from the inherent security offered by the use of Time Division Multiplex (TDM) technologies. For LTE users the encryption of their data ends at the base station.

This radical transformation of the architecture of the next generation of networks has profound implications for users.

As governments across the world seek to harness the benefits of the digital age by placing more and more services online, the risks posed to those users of their personal data being exposed to criminal groups increases.

Whereas users have been able to take security almost for granted in the 3G era, its next evolution in the form of LTE requires that all users think very carefully about the associated risks that occur with the adoption of the new technologies.

IPsec solution

Recognising the issue of security, those responsible for developing the 3GPP mobile standard have suggested that IPsec should be used from what is called in LTE space the E-UTRAN Node B (eNode B) – the equivalent of the base station in previous architectures – across the network. Its introduction also saw the eNode B delegated the functionality that had been previously built into the radio network controller (RNC).

Moving the emphasis for security to the end user does carry some overheads. Any security overlay has to be embedded within the mobile devices that are being attached to the networks. This carries with it cost overheads. Some network operators took a highly pragmatic approach to this problem.

In Africa, for example, what could be said to be a fragile/nascent mobile market could not stand the additional costs associated with the introduction of LTE technologies. By the end of 2013 none of the United States carriers had introduced any form of security in their LTE-based networks.

By contrast, in Europe several companies took a different approach, recognising that users would expect some form of encryption to be available. Deutsche Telekom was one organisation that advocated a policy that any of its affiliates should deploy IPsec at all LTE sites.

Telecomm Italia is one network operator among a growing number that also advocate using the same approach. In 2014 Europe became recognised as the leader in the adoption of the security overlay proposed by 3GPP. It is likely that over time where Europe leads others will follow.

What then are the drivers for mobile operators to adopt IPsec as the means for encrypting end-user data? One of the most important is the vulnerability of the network control protocols themselves.

This provides additional ways in which someone seeking to conduct an attack on the network might succeed in disrupting its services. This is in addition to the attacker also using access to the network to compromise the streams of data being passed between nodes.

As criminals have shown the capability in the past to listen in to the emergency services radio spectrum, so they could move into the LTE space and be aware of emergency services activity. The frightening image of terrorists choosing to use information derived from LTE security vulnerabilities to attack emergency services vehicles responding to a terrorist attack moves from the world of science fiction to reality.

These vulnerabilities pose a threat to network operators’ revenue streams and reputation. They also pose a significant threat to future revenue earning potential. These alone are very significant considerations for mobile operators the world over that are likely to further create a push to adopt LTE technologies. It would seem that the next dawn of the digital age has truly started to break. The question is will it be a secure one?

Recent examples of mobile network security breaches

Norway: IMSI detach attack

In 2014, Norwegian newspaper Aftenposten tracked active illegal mobile surveillance equipment in Oslo. It revealed that secret, fake base stations, or IMSI-catchers, were being operated near important buildings in the capital, including the Parliament building (pictured above), enabling them to undertake what are known as ‘IMSI detach attacks’ on mobile phones.

Using the German-made CryptoPhone 500, Aftenposten journalists working with two security companies, Aeger Group and CEPIA Technologies, monitored and disclosed a number of locations in the city with suspicious mobile activity. They were able to detect fake transmitters, which had the ability to register all mobile phones within their reach.

The fake base stations first collect data from the mobile phone’s Sim-card. Once detected, the IMSI-catcher can then eavesdrop on certain conversations. It will then transmit the call on to the real GSM-system, but anyone listening in can hear the entire conversation.

According to Aftenposten’s report, the fake base station may also register SMS-messages and install spyware, which enables someone to switch on the microphone. The mobile phone may then be used for monitoring rooms or offices.

GSM networks are vulnerable to IMSI detach attacks. 4G networks are not, but can become equally vulnerable when integrated with 2G and 3G networks to enable circuit switched fall back. This occurs when a voice over LTE transmission has to ‘fall back’ onto 2G or 3G if it moves beyond the range of an LTE base station.

Ukraine: SS7 attack

Earlier this year (2015), AdaptiveMobile highlighted a report issued in May 2014 by NKRZI, the Ukrainian telecom regulator, detailing how in April 2014 some subscribers on the MTS Ukraine mobile phone network were affected by suspicious/custom SS7 packets from telecom network elements with Russian addresses, causing their location and potentially the contents of their phone calls to be obtained.

Signalling System 7 (SS7) is a catch-all term for a telecom network technology that is used by hundreds of cellular companies to allow them to operate and communicate with each other; it is the computer protocol used by telecom nodes within cellular networks to provide mobility control, network registration, call and text setup etc.

The ‘attacks’ outlined in the document involved SS7 packets being sent between the mobile operators. What occurred is that a series of SS7 packets were received by MTS Ukraine’s SS7 network, which modified control information stored in network switches for a number of MTS Ukraine mobile users.

When someone tried to ring one of the affected mobile subscribers, their call would then be forwarded to a physical landline number in St Petersburg, Russia, without their knowledge – in effect the call has been intercepted.

A Washington Post article suggested that the forwarded-to number could have initiated a new call to the original targeted subscriber, and then conference in the intercepted call, thus allowing itself to listen in to the call without the participants being aware.

AdaptiveMobile said: ‘The SS7 network is working as designed, but “bad actors” are increasingly trying to exploit it.’ It added that work is being done to secure SS7, but warned: ‘No one should doubt the amount of work and effort that will be required to completely secure the SS7 network from organisations that would seek to exploit it.’